BlackHat News: Tool for Detecting TRITON/TRISIS Malware Released

Posting ID 116677
Date Added: 08/9/2018 1:25 PM EDT
Date Modified: 08/9/2018 2:51 PM EDT
Jeff Jones | E-ISAC Staff


A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

The researchers demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting. 

They subsequently added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks. 

While analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in the Triconex TriStation 1131 version 4.9 controller.

"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."

Category Type:
Cyber Security
TLP - White
Shared Count (3)
  • CRISP - Cyber Risk Info Sharing Program
  • E-ISAC AOO Members
  • E-ISAC Staff
Change History
  • Jeff Jones, 08/09/2018